Kartikey Sapra
Creates and executes the following file:

%CurrentFolder%\hms.exe

Note: %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.



Creates the following files:

* %System%\Zykheptd.dll
* %System%\Zykheptd.sys

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Injects %System%\Zykheptd.dll into the following Windows process:

SVCHOST.EXE


Creates a hidden device service for the Zykheptd.sys driver. The driver is a kernel-mode rootkit that lets the Trojan hide any files and registry entries it creates, so a file or registry listing taken on the running system may not show the artifacts below.


Creates registry entries under the following registry subkeys when creating the above service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Zykheptd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZYKHEPTD


Adds the value:

"ServiceDLL" = "%System%\Zykheptd.dll"

to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters

This replaces the DLL that the Logical Disk Manager service (dmserver) normally loads, %System%\dmserver.dll, with the Trojan DLL. On Windows NT/2000/XP the svchost.exe instance hosting that service loads whatever ServiceDll names when the service starts, so this one entry is both the persistence mechanism and the way the DLL ends up inside SVCHOST.EXE.


Adds the value:

"(default)" = "rundll32.exe [PATH TO TROJAN DLL FILE], Do98Work"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the Trojan DLL runs every time Windows starts. This Run entry is the autostart used on Windows 9x (95/98/Me), which has no NT-style service host to hijack.

Attempts to open a back door on the compromised computer by making outbound connections to the following domain on TCP ports 80 and 8080:

data.lovequintet.com


Allows a remote attacker to use this back door to perform the following actions on the compromised computer:

* List active ports
* List processes, services, and threads
* Download and execute remote files
* Upload files
* Run a system shell
* Modify registry entries
* End processes
* Get system and network information

Arrives on the compromised computer as a malicious Microsoft Access file that exploits the Microsoft Jet Database Engine Malformed Database File Buffer Overflow vulnerability (SecurityFocus BID 12960). Opening the Access file is what starts the infection chain described above.
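The indicators above (the Zykheptd service keys, the dmserver ServiceDll hijack, the rundll32/Do98Work Run entry, the three dropped files and the C2 domain on ports 80/8080) can be checked offline against a registry export, a file listing from a mounted image and connection logs. The script below is an added example, not code from the original write-up or from any vendor tool. The .reg text, file list and log lines are constructed for the example; the expectation that dmserver's ServiceDll normally names dmserver.dll is an assumption about Windows 2000/XP.

```python
"""Offline indicator check for the Zykheptd Trojan described above (added example).

Reads a .reg-format registry export, a list of file paths and connection-log
lines, and reports the indicators from the write-up. Sample data is constructed.
"""
import re

# Indicators taken from the write-up.
SERVICE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Zykheptd",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZYKHEPTD",
)
DMSERVER_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_PATTERN = re.compile(r"rundll32(\.exe)?\s+\S.*,\s*Do98Work\b", re.IGNORECASE)
FILE_IOCS = ("zykheptd.dll", "zykheptd.sys", "hms.exe")
C2_DOMAIN = "data.lovequintet.com"
C2_PORTS = (80, 8080)
# Assumption: the Logical Disk Manager service normally loads dmserver.dll.
LEGIT_DMSERVER_DLL = "dmserver.dll"

# Constructed sample registry export of an infected XP machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Zykheptd]
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters]
"ServiceDll"="C:\\WINDOWS\\System32\\Zykheptd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="rundll32.exe C:\\WINDOWS\\System32\\Zykheptd.dll, Do98Work"
"Tray"="C:\\Program Files\\Vendor\\tray.exe"
"""

# Constructed file listing, taken from an offline image (the rootkit hides these on a live system).
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\dmserver.dll",
    r"C:\WINDOWS\System32\Zykheptd.dll",
    r"C:\WINDOWS\System32\Zykheptd.sys",
    r"C:\Documents and Settings\user\Desktop\hms.exe",
]

# Constructed firewall-style connection log ("host:port" pairs).
SAMPLE_LOG = [
    "2005-04-01 12:00:01 TCP 10.0.0.5:1042 -> data.lovequintet.com:8080 SYN",
    "2005-04-01 12:00:02 TCP 10.0.0.5:1043 -> www.example.com:80 SYN",
    "2005-04-01 12:00:09 TCP 10.0.0.5:1044 -> data.lovequintet.com:443 SYN",
]


def parse_reg_export(text):
    """Return {key: {name: value}} from .reg text; quoted string values are unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, value = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            keys[current][name] = value
    return keys


def find_registry_iocs(keys):
    """Return (kind, detail) findings; key and value names compare case-insensitively."""
    lowered = {k.lower(): v for k, v in keys.items()}
    findings = [("service_key", k) for k in SERVICE_KEYS if k.lower() in lowered]
    for name, value in lowered.get(DMSERVER_PARAMS.lower(), {}).items():
        # Any ServiceDll other than dmserver.dll means svchost.exe loads a foreign DLL.
        if name.lower() == "servicedll" and value.lower().rsplit("\\", 1)[-1] != LEGIT_DMSERVER_DLL:
            findings.append(("dmserver_servicedll_hijack", value))
    for name, value in lowered.get(RUN_KEY.lower(), {}).items():
        if RUN_PATTERN.search(value):  # rundll32 <dll>, Do98Work (the Windows 9x autostart)
            findings.append(("run_key_rundll32", f"{name}={value}"))
    return findings


def find_file_iocs(paths):
    """Return paths whose file name is one of the dropped-file names."""
    return [p for p in paths if p.lower().rsplit("\\", 1)[-1] in FILE_IOCS]


def find_c2_connections(lines):
    """Return log lines showing a connection to the C2 domain on port 80 or 8080."""
    hits = []
    for line in lines:
        for host, port in re.findall(r"([A-Za-z0-9.-]+):(\d+)", line):
            if host.lower() == C2_DOMAIN and int(port) in C2_PORTS:
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    for f in find_registry_iocs(parse_reg_export(SAMPLE_REG)):
        print("REGISTRY", *f)
    for f in find_file_iocs(SAMPLE_FILES):
        print("FILE", f)
    for f in find_c2_connections(SAMPLE_LOG):
        print("NETWORK", f)
```

Run it against a real `reg export` of the SYSTEM and SOFTWARE hives and a file listing from a mounted disk image rather than from the infected host, since the kernel-mode rootkit hides the Zykheptd artifacts from the running system. The dmserver check flags any non-standard ServiceDll, not just this Trojan's, so it also catches other service-DLL hijacks.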


I AM NOT RESPONSIBLE FOR ANYTHING. USE IT AT YOUR OWN RISK.
